I hacked my colleague’s multiplayer rocket game. I mainly did it for kicks. But also to make an important point about the server never trusting a client.
My colleague is developing a small game in his spare time. It’s based upon the Amiga classic Roketz and uses Google playn to cross compile from Java to various native platforms, such as web browsers, Android, and iOS.
I won’t disclose the URL of the beta since it’s not yet launched but here is a sneak preview of the browser version:
Being a multiplayer game, there is usually more than one rocket. When hit by enemy fire, your rocket will take damage and eventually explode. You use thrust and rotation to stay clear of walls. There are landing pods where you can recharge. This pretty much sums up the gameplay of this charming, retro style game.
Having followed the development from the sidelines, I had gathered a few pieces of information that made me conclude that hacking the game would be feasible. I knew that all clients communicated with the server using JSON over web sockets. I also knew that, by design, each client is responsible for keeping track of the state (such as position and velocity) of its own rocket and of all shots fired from that rocket, and for communicating this state to the server. The server, in turn, would pass on the rocket and shot state of all the other players. Clients would do hit detection themselves, and when a rocket had taken sufficient damage its client would tell the server about it. I argued that there would be plenty of ways to hack this. My colleague stated that this was largely a hypothetical problem. And so, the challenge was on.
Fiddler comes with a very powerful scripting language. Using this, I configured Fiddler so that if I hit the rocket game URL at port 8888, it would serve the files as if I had hit port 80 — except for a few select files, which I made Fiddler grab from my own domain (I’m sure that I could have stored them locally as well, I just found the other solution first).
Next, I set up Fiddler as a reverse proxy as described in the first section of these instructions: http://fiddler2.com/documentation/Configure-Fiddler/Tasks/UseFiddlerAsReverseProxy
It worked! If I went to the normal rocket game URL but specified port 8888, I got a fully functional game, but Fiddler substituted my copies of the files (as was easily verified with a console.log() statement):
Here is the malicious piece of code that I added:
Behold the final result. Distributed from my client to your client through a trustful protocol... kiss my heat-seeking missiles!
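The fix for the design described above is a server that treats every client message as a claim to be checked, not a fact. The following is an added example of what such server-side validation could look like; it is not the game's own code, and the message shape ({type, id, x, y, vx, vy, t}), the physics limits and the hit radius are all assumptions made for illustration.

```javascript
// Added example (not the game's code): an authoritative server that sanity
// checks client-reported rocket state instead of trusting it. Message shape
// {type, id, x, y, vx, vy, t} and the physics limits are constructed.
const LIMITS = { maxSpeed: 300, maxAccel: 200, hitRadius: 10 };

class AuthoritativeServer {
  constructor() { this.rockets = new Map(); } // id -> last accepted state

  // Dispatch one decoded JSON message. Returns null if accepted, else a reason.
  handle(msg) {
    if (msg.type === 'rocket') return this.rocketUpdate(msg);
    // 'hit'/'damage' claims from a client are never accepted: the server
    // decides hits itself (see hitTest below).
    return 'unexpected message type';
  }

  rocketUpdate(msg) {
    const nums = [msg.x, msg.y, msg.vx, msg.vy, msg.t];
    if (!nums.every(Number.isFinite)) return 'non-numeric field';
    if (Math.hypot(msg.vx, msg.vy) > LIMITS.maxSpeed) return 'speed limit';
    const prev = this.rockets.get(msg.id);
    if (prev) {
      const dt = (msg.t - prev.t) / 1000;
      if (dt <= 0) return 'clock went backwards';
      // A rocket cannot change velocity faster than its thrust allows...
      const dv = Math.hypot(msg.vx - prev.vx, msg.vy - prev.vy);
      if (dv > LIMITS.maxAccel * dt + 1e-9) return 'impossible acceleration';
      // ...nor move further than its top speed permits (no teleporting).
      const dist = Math.hypot(msg.x - prev.x, msg.y - prev.y);
      if (dist > LIMITS.maxSpeed * dt + 1e-9) return 'teleport';
    }
    this.rockets.set(msg.id, { x: msg.x, y: msg.y, vx: msg.vx, vy: msg.vy, t: msg.t });
    return null;
  }

  // Server-side hit detection using only server-accepted positions.
  hitTest(shot, targetId) {
    const r = this.rockets.get(targetId);
    return r !== undefined &&
      Math.hypot(shot.x - r.x, shot.y - r.y) <= LIMITS.hitRadius;
  }
}
```

A rejected update leaves the last accepted state in place, so a client that lies about its position simply stops moving on everyone else's screen rather than teleporting; the same limits also give you a log line per rejection to spot a tampered client.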